55,000 hacked Twitter accounts leaked… or?

Update: I checked some accounts, and the e-mail ones seem to originate from the June 2011 leak by Lulzsec.
When looking at the spam accounts, Google suggested this site as a possible original source for at least a bunch of them… ;P

For updates on this, and other programming/security stuff, follow me on Twitter: @nilssonanders

I took a look at the files, and gathered some statistics!

There are 58,973 lines in total across all of the files (including whitespace).

If we remove all the duplicate entries, we end up with 34,062 unique accounts, a handful of which are obviously malformed when you look at the data.

There are two kinds of accounts in the list: ones with a user name (e.g. ”Hayleyjsvze”) and ones with an e-mail address (e.g. ”[email protected]”). On Twitter you can log in with either your user name or your e-mail address, so that could be the reason there are two different kinds… or?

Of the 34,062 unique accounts, 25,068 are identified by an e-mail address. Those accounts look ”real”: they all seem to have ”regular” passwords (simple words, numbers). The rest of the accounts, the ones not based on an e-mail address, all seem to be spam accounts. They have few, if any, posts, they follow many others but have very few followers of their own, and they all have random 8-character passwords…

Now, looking back to the real accounts, here are some statistics from the e-mails used for the accounts:

Total number of accounts: 34,062
Total number of e-mails: 25,068 (where a few are invalid or contain typos)
Domain "hotmail.com": 15,777
Domain "gmail.com": 2,193
Total NOT using ".com": 6,046 (a handful of invalid e-mails in there too)
Total using ".com.br": 5,736

So, almost 95% of the addresses not ending in ".com" are Brazilian (".com.br")! And of the ”55,000” accounts, about 9,000 seem to be Twitter spam accounts…
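As an added example (not code from the original post), here is a small Python script that runs the same analysis steps on a constructed sample dump: counting raw lines, deduplicating, separating e-mail logins from user-name logins, tallying e-mail domains and the non-.com / .com.br totals, and flagging the ”random 8-character password” pattern the spam accounts showed. The `login:password` line layout, the sample entries and the random-password heuristic are all assumptions for the example; none of it is the leaked data.

```python
# Added example, not from the original post. Analyses a credential dump the
# way the post describes. The "login:password" layout and every entry in
# SAMPLE_DUMP are constructed for this example, not real leaked data.
import re
from collections import Counter

SAMPLE_DUMP = """\
alice.santos@hotmail.com:flamengo123
alice.santos@hotmail.com:flamengo123
bruno@gmail.com:senha2010
carla@uol.com.br:carla1985
diego@hotmail.com.br:diego2011

Hayleyjsvze:kX9pQ2wL
Mandyqwert:7Rt4Lz1e
notanemail@:broken
bob@terra.com.br:bob
"""

# Loose "looks like an e-mail address" check; good enough to separate typos.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed heuristic for the spam accounts' passwords: exactly 8 alphanumerics
# mixing lower case, upper case and digits (the post only says "random 8 character").
RANDOM_PW_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8}$")


def parse_dump(text):
    """Return (total_lines, unique_entries); entries are (login, password) tuples.
    Blank lines count toward total_lines, like the post's 58,973 raw-line figure,
    and exact duplicate login:password pairs are dropped."""
    lines = text.splitlines()
    seen, unique = set(), []
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        login, _, password = line.partition(":")
        key = (login.strip().lower(), password)
        if key not in seen:
            seen.add(key)
            unique.append(key)
    return len(lines), unique


def classify(entries):
    """Split entries into e-mail logins, user-name logins and malformed e-mails."""
    emails, usernames, malformed = [], [], []
    for login, password in entries:
        if "@" in login:
            (emails if EMAIL_RE.match(login) else malformed).append((login, password))
        else:
            usernames.append((login, password))
    return emails, usernames, malformed


def domain_stats(emails):
    """Per-domain counts plus the non-.com and .com.br totals the post reports."""
    domains = Counter(login.rsplit("@", 1)[1] for login, _ in emails)
    not_com = sum(n for d, n in domains.items() if not d.endswith(".com"))
    com_br = sum(n for d, n in domains.items() if d.endswith(".com.br"))
    return domains, not_com, com_br


def looks_random(password):
    """True if the password matches the assumed spam-account pattern."""
    return bool(RANDOM_PW_RE.match(password))


def analyse(text):
    """Run the whole pipeline and return the statistics as a dict."""
    total, unique = parse_dump(text)
    emails, usernames, malformed = classify(unique)
    domains, not_com, com_br = domain_stats(emails)
    return {
        "total_lines": total,
        "unique": len(unique),
        "email_accounts": len(emails),
        "username_accounts": len(usernames),
        "malformed": len(malformed),
        "domains": domains,
        "not_com": not_com,
        "com_br": com_br,
        "com_br_share_of_not_com": com_br / not_com if not_com else 0.0,
        "username_random_pw": sum(looks_random(pw) for _, pw in usernames),
        "email_random_pw": sum(looks_random(pw) for _, pw in emails),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run against the real files, the `com_br_share_of_not_com` value is what the 5,736 / 6,046 ≈ 95% figure above comes from; the random-password count per group is the quickest way to confirm that the user-name entries and the e-mail entries really are two different populations before drawing conclusions about the source.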

I think this is probably the result of either a leak from a big hacked Brazilian website, or Brazil-targeted phishing, combined with 9,000 Twitter spam accounts.

I haven’t verified any of the accounts (of course!), so it IS possible that the e-mail credentials are actually valid for the e-mail accounts themselves and not for Twitter…

Now… looking back at the spam accounts… many of them have already been suspended by Twitter, but… here are some that are currently working:

Notice how they all have a generic profile image, screen name and full name. They also follow a large number of accounts, have only a few followers of their own… and… they all retweeted the @Swagstro account…

Also, looking at the accounts they follow:

They follow roughly the same accounts (at least some of the same random ones), with the top account always being @Cyberopz…

There’s definitely something more to this leak than just a generic hacked website… weird that they combined spam accounts and regular ones… We’ll see what else there is to find out about this.

[…] crunching the numbers and identifying the duplicate accounts shared on Pastebin, Anders Nilsson at Säkerhetsbloggen determined that the total amount of actual accounts is 34,062 and, of those, only 25,068 appear to […]

[…] thousands of other Twitter users; this is a common footprint of a Twitter spam account. An analysis by an Eset blogger found that even after deduplicating the list, 25,000 entries in the remaining […]